EP4350549A1 - Calculator system and cyber security information evaluation method - Google Patents

Publication number
EP4350549A1
Authority
EP
European Patent Office
Prior art keywords
security information
cyber security
evaluation
richness
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP22764988.6A
Other languages
German (de)
French (fr)
Inventor
Yiwen Chen
Momoka Kasuya
Hiroki Yamazaki
Hiroyuki Higaki
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/26 Government or public services

Definitions

  • This invention relates to a system and a method which determine a value of cyber security information.
  • a cyber attack information processing program causes a computer to execute storing processing and updating processing.
  • In the storing processing, when information on a cyber attack is acquired, the information on the cyber attack is stored in a storage unit in association with reliability based on an acquisition source of the information on the cyber attack.
  • In the updating processing, when it is detected that posted information corresponding to the information on the cyber attack is uploaded from an information processing terminal, the reliability associated with the information on the cyber attack is updated in accordance with reliability relating to the posted information.
  • the value of the cyber security information is low.
  • the disclosure target of the cyber security information is the medical field but the analysis target is the automobile field
  • the value is low.
  • the disclosure target of the cyber security information is a product A but the analysis target is a product B.
  • This invention is to provide a system and a method which evaluate richness of contents of cyber security information in consideration of a target, and automatically determine a value of the cyber security information.
  • a computer system comprises: at least one computer; a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module.
  • the richness evaluation module is configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.
  • FIG. 1 is a diagram for illustrating a configuration example of a system according to a first embodiment of this invention.
  • FIG. 2 is a diagram for illustrating a configuration example of each computer included in the system according to the first embodiment.
  • a system 100 is a system which evaluates a value of information collected from information sources (providers) such as SNSs, Webs, and organizations, and is formed of at least one computer 200.
  • the system 100 may include a storage system, a network switch, a gateway, and the like.
  • a type and contents of the information to be collected are not limited in this invention.
  • the processor 201 is an arithmetic device which executes a program stored in the main storage device 203.
  • the processor 201 executes processing in accordance with the program, to thereby operate as a function module (module) for implementing a specific function.
  • the description indicates that the processor 201 is executing the program for implementing the function module.
  • the network interface 202 is an interface for communication to and from an external device via a network.
  • the main storage device 203 is a storage device which stores programs executed by the processor 201 and information used by the programs, and is, for example, a dynamic random access memory (DRAM).
  • the main storage device 203 is used also as a work area.
  • the secondary storage device 204 is a storage device which permanently stores information, and is, for example, a hard disk drive (HDD), a solid state drive (SSD), or the like.
  • the programs and information stored in the main storage device 203 may be stored in the secondary storage device 204.
  • the processor 201 reads out the programs and information from the secondary storage device 204, and loads the programs and information onto the main storage device 203.
  • the system 100 includes an input module 110, a preprocessing module 111, a freshness evaluation module 112, a reliability evaluation module 113, a target determination module 114, a richness evaluation module 115, a total evaluation value calculation module 116, a value evaluation module 117, and an output module 118. Moreover, the system 100 holds an information source DB 120, a plurality of structured DBs 121, and a collection information DB 122.
  • the information source DB 120 is a database which manages information on information sources.
  • data including, for example, types of information sources and names and the like of organizations and the like being the information sources is stored.
  • the types of information sources are, for example, the Auto-ISAC and SNS.
  • the structured DB 121 is a database which manages words used in a target (a field, a product, or the like). In this embodiment, it is assumed that one structured DB 121 exists for one target. The system 100 manages the target and the structured DB 121 in association with each other. In the structured DB 121, data including, for example, words and categories is stored.
  • the categories may have a hierarchical structure such as large categories, medium categories, and small categories. For example, in a case of categories of the security, the large category is "security," and the medium categories are "attack source," "countermeasure," and the like.
  • the system 100 may hold a structured DB 121 which belongs to none of the targets.
  • the collection information DB 122 is a database which manages cyber security information input to the system 100.
  • cyber security information having an ID assigned thereto is stored.
  • the cyber security information in this embodiment includes a document formed of character strings.
  • the cyber security information may include images and graphs, for example.
  • the input module 110 receives input of the cyber security information and information to be used for processing such as threshold values.
  • the input module 110 provides an interface for receiving input of the various types of setting information.
  • the input module 110 outputs the cyber security information to the preprocessing module 111, and stores the cyber security information having the ID assigned thereto in the collection information DB 122.
  • the input module 110 outputs the setting information to be used for the processing such as the threshold values to each function module. In FIG. 1, the input module 110 outputs, to the value evaluation module 117, a threshold value for selecting valuable cyber security information.
  • the preprocessing module 111 executes preprocessing for the cyber security information.
  • the preprocessing is, for example, conversion, formatting, coupling, and normalization of data.
  • the freshness evaluation module 112 evaluates freshness of the cyber security information based on a date of creation, a date of update, a frequency of update, and the like of the cyber security information, to thereby calculate a freshness evaluation value.
  • the reliability evaluation module 113 evaluates a level of reliability of the information source of the cyber security information based on the information source and the like of the cyber security information, to thereby calculate a reliability evaluation value.
  • the target determination module 114 determines a target of application of the cyber security information through use of the structured DBs 121.
  • the richness evaluation module 115 evaluates richness of contents of the cyber security information in any target, to thereby calculate a richness evaluation value.
  • the total evaluation value calculation module 116 calculates a total evaluation value through use of the freshness evaluation value, the reliability evaluation value, and the richness evaluation value.
  • the value evaluation module 117 uses the total evaluation value to select cyber security information having a high value for the target determined by the target determination module 114.
  • the output module 118 outputs, as evaluation information, information on the cyber security information selected by the value evaluation module 117.
  • the output module 118 provides an interface for displaying the evaluation information.
  • a plurality of function modules may be combined into one function module, or one function module may be divided into a plurality of function modules each corresponding to a relevant function.
  • the richness evaluation module 115 may have the function of the target determination module 114.
  • the value evaluation module 117 may have the function of the total evaluation value calculation module 116.
  • FIG. 3 is a flowchart for illustrating an example of registration processing for the structured DB 121 executed by the system 100 according to the first embodiment.
  • FIG. 4 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment.
  • a user uses a terminal or the like to access the system 100, to thereby transmit a registration start request for a structured DB 121.
  • In a case where the input module 110 of the system 100 receives this registration start request, the input module 110 presents a screen 400 of FIG. 4 (Step S101).
  • the screen 400 includes a target input field 401, a DB input field 402, and a registration button 403.
  • the target input field 401 is a field for inputting a target of the structured DB 121.
  • the DB input field 402 is a field for inputting the structured DB 121.
  • a file which is a substance of the structured DB 121 or a file path, a URL, or the like of the structured DB 121 is input.
  • the registration button 403 is an operation button for registering the structured DB 121. In a case where the user inputs data into the target input field 401 and the DB input field 402, and operates the registration button 403, a registration request is transmitted to the system 100.
  • the input module 110 registers the structured DB 121 in association with the target (Step S102).
  • FIG. 5 is a flowchart for illustrating an example of cyber security information evaluation processing executed by the system 100 according to the first embodiment.
  • FIG. 6 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment.
  • FIG. 7, FIG. 8, and FIG. 9 are tables for showing examples of information to be used by the system 100 according to the first embodiment in the cyber security information evaluation processing.
  • the user uses a terminal or the like to access the system 100, to thereby transmit an evaluation start request for cyber security information.
  • In a case where the input module 110 of the system 100 receives this evaluation start request, the input module 110 presents a screen 600 of FIG. 6 (Step S201).
  • the screen 600 includes a cyber security information input field 601, an addition button 602, and an evaluation button 603.
  • the cyber security information input field 601 is a field for inputting the cyber security information to be evaluated.
  • a file which is a substance of the cyber security information or a file path, a URL, or the like of the cyber security information is input.
  • the addition button 602 is an operation button for adding the cyber security information input field 601.
  • the evaluation button 603 is an operation button for evaluating the cyber security information. In a case where the user inputs data into the cyber security information input field 601, and operates the evaluation button 603, an evaluation request is transmitted to the system 100.
  • In a case where the input module 110 receives the evaluation request, the input module 110 stores the cyber security information input by the user in the collection information DB 122 (Step S202), and outputs the cyber security information to the preprocessing module 111.
  • the preprocessing module 111 executes preprocessing for the cyber security information (Step S203).
  • a content of the preprocessing to be executed is not limited in this invention. Moreover, the preprocessing is not required to be executed.
  • Loop processing for the cyber security information is started (Step S204). Specifically, the preprocessing module 111 selects one piece of cyber security information, and outputs the selected cyber security information to the freshness evaluation module 112, the reliability evaluation module 113, and the target determination module 114.
  • the freshness evaluation module 112 calculates a freshness evaluation value C1 indicating the freshness of the cyber security information based on the date of creation, the date of update, the number of times of update, and the like of the cyber security information (Step S205), and outputs the freshness evaluation value C1 to the total evaluation value calculation module 116.
  • As the evaluation method for the freshness, it is only required to use a publicly-known technology, and hence a detailed description thereof is omitted.
  • the target determination module 114 executes target determination processing (Step S207). Specifically, the following processing is executed.
  • (Step S207-1) The target determination module 114 selects one target, and refers to the structured DB 121 corresponding to this target. At this time, the target determination module 114 registers an entry in intermediate information 700.
  • the intermediate information 700 stores entries each formed of an information ID 701 and a relevance degree 702.
  • the information ID 701 is a field for storing the ID of the cyber security information.
  • the relevance degree 702 is a field group for storing relevance degrees each indicating relevance of the cyber security information to a target.
  • the relevance degree 702 includes one or more columns of the targets.
  • the relevance degree 702 of the added entry is blank.
  • the target determination module 114 uses the structured DB 121 to analyze documents included in the cyber security information, to thereby extract topics relating to the selected target.
  • the target determination module 114 calculates the relevance degree indicating the relevance of the cyber security information to the selected target based on the number of extracted topics, contents, and the like.
  • the target determination module 114 refers to the relevance degree 702 of the entry added to the intermediate information 700, and stores the relevance degree in the column of the selected target.
  • the calculation method for the relevance degree is an example, and the calculation method is not limited to this example.
  • the calculation method may be a method of calculating the relevance degree by inputting documents into a model generated through machine learning.
  • (Step S207-3) The target determination module 114 determines whether or not the processing is completed for all of the targets. In a case where the processing has not been completed for all of the targets, the process returns to Step S207-1, and the target determination module 114 executes similar processing.
  • (Step S207-4) In a case where the processing has been completed for all of the targets, the target determination module 114 refers to the intermediate information 700, to thereby select a target having the highest relevance degree, and outputs identification information on the selected target to the richness evaluation module 115. After that, the target determination module 114 finishes the target determination processing.
  • the target determination module 114 may ask the user for selection of the target through the output module 118, or may select the plurality of targets. Moreover, the target determination module 114 may output, to the richness evaluation module 115, a value indicating that the cyber security information belongs to none of the targets.
  • the user may specify, in advance, a type of targets to be determined by the target determination module 114.
  • the richness evaluation module 115 calculates a richness evaluation value C3 indicating the richness of the contents of the cyber security information in the target selected by the target determination module 114 (Step S208), and outputs the richness evaluation value C3 to the total evaluation value calculation module 116. Specifically, the following processing is executed.
  • (Step S208-1) The richness evaluation module 115 adds an entry to intermediate information 800.
  • the intermediate information 800 stores entries each formed of an information ID 801, a target 802, and an item count 803.
  • the information ID 801 is a field for storing the ID of the cyber security information.
  • the target 802 is a field for storing identification information on the target. In the target 802, a name, an identification number, or the like of the target is stored.
  • the item count 803 is a field group for storing numbers of items relevant to the target in the cyber security information. In the item count 803, the number of items is managed for each category. When the category is hierarchical, the numbers of items are managed in each intermediate category as a unit or each small category as a unit. In the intermediate information 800 of FIG. 8, the numbers of items are managed in each intermediate category as a unit.
  • the richness evaluation module 115 adds as many entries as the number of categories.
  • (Step S208-2) The richness evaluation module 115 uses the structured DB 121 corresponding to the selected target to count the number of items (character strings such as words) in each category, and stores the number in the item count 803 of the entry of the intermediate information 800.
  • N_i represents a total number of words in the category "i" registered in the structured DB 121.
  • a_i represents the number of words in the category "i" included in the cyber security information.
  • the symbol p_i represents a weight for the category "i." It is assumed that the weight p_i is set in advance. The user can set the weight p_i to any value. It is possible to adjust the weight, to thereby evaluate the richness of the content of the cyber security information relating to a category of interest. In a case where the number of categories is two, any "p" may be used to set p_1 to p, and p_2 to 1-p.
  • the richness evaluation module 115 outputs the richness evaluation value C3 along with the identification information on each target.
  • the richness evaluation module 115 uses the structured DB 121 depending on none of the targets to calculate the richness evaluation value C3.
  • the total evaluation value calculation module 116 calculates a total evaluation value (Step S209). Specifically, the following processing is executed.
  • (Step S209-1) The total evaluation value calculation module 116 adds an entry to intermediate information 900.
  • the intermediate information 900 stores entries each formed of an information ID 901, a target 902, a freshness 903, a reliability 904, a richness 905, and a total evaluation 906.
  • the information ID 901 is a field for storing the ID of the cyber security information.
  • the target 902 is a field for storing identification information on the target.
  • the freshness 903 is a field for storing the freshness evaluation value C1.
  • the reliability 904 is a field for storing the reliability evaluation value C2.
  • the richness 905 is a field for storing the richness evaluation value C3.
  • the total evaluation 906 is a field for storing the total evaluation value.
  • the total evaluation 906 of the added entry of the intermediate information 900 is blank.
  • (Step S209-3) The total evaluation value calculation module 116 notifies the preprocessing module 111 of the completion of the processing.
  • the preprocessing module 111 determines whether or not the processing has been completed for all of the pieces of cyber security information input by the user (Step S210).
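  • In a case where the processing has not been completed for all of the pieces of cyber security information, the process returns to Step S204, and the preprocessing module 111 executes similar processing.
  • In a case where the processing has been completed for all of the pieces of cyber security information, the preprocessing module 111 instructs the total evaluation value calculation module 116 to output the intermediate information 900.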
  • the total evaluation value calculation module 116 which has received this instruction, outputs the intermediate information 900 to the value evaluation module 117.
  • In a case where the intermediate information 900 is input, the value evaluation module 117 generates the evaluation information based on the intermediate information 900 (Step S211), and outputs the evaluation information to the output module 118. Specifically, the following processing is executed.
  • (Step S211-1) The value evaluation module 117 selects one target.
  • (Step S211-2) The value evaluation module 117 searches for an entry of the intermediate information 900 that stores, in the target 902, the identification information on the selected target.
  • (Step S211-3) The value evaluation module 117 compares the total evaluation value stored in the total evaluation 906 of the retrieved entry and the threshold value with each other, to thereby determine whether or not the cyber security information corresponding to the retrieved entry has a high value in the target corresponding to the retrieved entry. For example, in a case where the total evaluation value is larger than the threshold value, the value evaluation module 117 determines that the value of the cyber security information is high in the target.
  • the value evaluation module 117 deletes, from the intermediate information 900, entries of the cyber security information each having a low value. The value evaluation module 117 is not required to delete the entry. It is possible to reconsider data included in cyber security information by presenting that the value of this cyber security information is low for a certain target.
  • (Step S211-4) The value evaluation module 117 determines whether or not the processing is completed for all of the targets.
  • In a case where the processing has not been completed for all of the targets, the process returns to Step S211-1, and the value evaluation module 117 executes similar processing.
  • In a case where the processing has been completed for all of the targets, the value evaluation module 117 generates the intermediate information 900 as the evaluation information.
  • the output module 118 presents the evaluation information to the user (Step S212).
  • Step S205, Step S206, Step S207, and Step S208 may be executed in a different order or in parallel.
  • the user can identify cyber security information having high values for the intended targets by referring to the evaluation information. Moreover, the user can recognize for which target each piece of cyber security information is valuable by referring to the evaluation information.
  • when technical fields are set as the targets, the user can recognize the value of cyber security information for each of the technical fields. Moreover, the user can identify cyber security information having a high value in a specific technical field. For example, when products are set as the targets, the user can recognize the value of cyber security information for each of the products. Moreover, the user can identify cyber security information having a high value for a specific product.
  • the present invention is not limited to the above embodiment and includes various modification examples.
  • the configurations of the above embodiment are described in detail so as to describe the present invention comprehensibly.
  • the present invention is not necessarily limited to the embodiment that is provided with all of the configurations described.
  • a part of each configuration of the embodiment may be removed, substituted, or added to other configurations.
  • a part or the entirety of each of the above configurations, functions, processing units, processing means, and the like may be realized by hardware, such as by designing integrated circuits therefor.
  • the present invention can be realized by program codes of software that realizes the functions of the embodiment.
  • a storage medium on which the program codes are recorded is provided to a computer, and a CPU that the computer is provided with reads the program codes stored on the storage medium.
  • the program codes read from the storage medium realize the functions of the above embodiment, and the program codes and the storage medium storing the program codes constitute the present invention.
  • Examples of such a storage medium used for supplying program codes include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, a solid state drive (SSD), an optical disc, a magneto-optical disc, a CD-R, a magnetic tape, a non-volatile memory card, and a ROM.
  • the program codes that realize the functions written in the present embodiment can be implemented by a wide range of programming and scripting languages such as assembler, C/C++, Perl, shell scripts, PHP, Python and Java.
  • the program codes of the software that realizes the functions of the embodiment may be stored on storing means such as a hard disk or a memory of the computer or on a storage medium such as a CD-RW or a CD-R by distributing the program codes through a network, and the CPU that the computer is provided with may read and execute the program codes stored on the storing means or on the storage medium.
  • control lines and information lines that are considered as necessary for description are illustrated, and all the control lines and information lines of a product are not necessarily illustrated. All of the configurations of the embodiment may be connected to each other.
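
The evaluation flow of Steps S207 to S211, as an added Python sketch that is not code from the patent or from Hitachi. The formulas for the richness value C3 and the total evaluation value are not reproduced on this page, so the sketch assumes C3 = sum of p_i * a_i / N_i and a total equal to the mean of C1, C2 and C3; the relevance degree (count of matched registered words), the structured DB contents, the reports and all function names are likewise constructed for illustration.

```python
import re

# Constructed structured DBs 121, one per target: category -> registered words.
STRUCTURED_DBS = {
    "automobile": {
        "attack source": {"can", "obd", "telematics", "ecu"},
        "countermeasure": {"firmware", "update", "gateway", "segmentation"},
    },
    "medical": {
        "attack source": {"dicom", "hl7", "infusion", "pacs"},
        "countermeasure": {"firmware", "update", "isolation", "patch"},
    },
}

# Constructed reports; freshness (C1) and reliability (C2) are taken as given,
# since the page leaves both to publicly known methods.
REPORTS = [
    {"id": "R1", "freshness": 0.9, "reliability": 0.8,
     "text": "Attackers reached the ECU over the CAN bus through the OBD port. "
             "The vendor ships a firmware update and recommends gateway segmentation."},
    {"id": "R2", "freshness": 0.9, "reliability": 0.9,
     "text": "Exposed PACS server accepts unauthenticated DICOM queries."},
    {"id": "R3", "freshness": 0.5, "reliability": 0.5,
     "text": "Phishing campaign targets payroll staff."},
]


def tokenize(text):
    """Distinct lower-cased words of the document."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def item_counts(words, db):
    """a_i per category: registered words of category i found in the document."""
    return {cat: len(words & vocab) for cat, vocab in db.items()}


def determine_target(words, dbs=STRUCTURED_DBS):
    """Step S207. Assumed relevance degree: number of matched registered words.
    Returns (target or None when nothing matches, relevance per target)."""
    relevance = {t: sum(item_counts(words, db).values()) for t, db in dbs.items()}
    best = max(relevance, key=relevance.get)
    return (best if relevance[best] > 0 else None), relevance


def richness(words, db, weights):
    """Step S208, assumed form C3 = sum_i p_i * a_i / N_i (empty categories skipped)."""
    counts = item_counts(words, db)
    return sum(weights[cat] * counts[cat] / len(vocab)
               for cat, vocab in db.items() if vocab)


def evaluate(reports, weights, threshold, dbs=STRUCTURED_DBS):
    """Steps S204 to S211: one row per report, shaped like intermediate information 900."""
    rows = []
    for report in reports:
        words = tokenize(report["text"])
        target, _ = determine_target(words, dbs)
        # Assumption: no target-independent structured DB is registered, so a
        # report that belongs to none of the targets gets richness 0.
        c3 = richness(words, dbs[target], weights) if target else 0.0
        total = (report["freshness"] + report["reliability"] + c3) / 3  # assumed mean
        rows.append({"id": report["id"], "target": target,
                     "freshness": report["freshness"],
                     "reliability": report["reliability"],
                     "richness": c3, "total": total,
                     "high_value": total > threshold})  # Step S211-3 comparison
    return rows


if __name__ == "__main__":
    for row in evaluate(REPORTS, {"attack source": 0.5, "countermeasure": 0.5}, 0.7):
        print(row)
```

Report R2 is fresh and comes from a reliable source but names only two attack-source terms and no countermeasure, so with equal weights it falls below the threshold; shifting the weight onto "attack source" raises it above, which is the weight adjustment the description attributes to p_i.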

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Tourism & Hospitality (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Computing Systems (AREA)
  • Human Resources & Organizations (AREA)
  • Primary Health Care (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Development Economics (AREA)
  • Educational Administration (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

A computer system comprises a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module. The richness evaluation module is configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.

Description

    INCORPORATION BY REFERENCE
  • The present application claims priority to Japanese Patent Application No. 2021-87011 filed on May 24, 2021 , the content of which is incorporated herein by reference.
  • BACKGROUND OF THE INVENTION
  • This invention relates to a system and a method which determine a value of cyber security information.
  • In recent years, the importance of countermeasures against cyber attacks has increased. For example, in ISO 21434, an international standard relating to cyber security for vehicles, long-term cyber security policies are increasingly required as the digitization of control systems for vehicles has progressed.
  • In the cyber security policies, it is required to collect and analyze information (cyber security information) on threat, vulnerability, and the like. The collection and the analysis of the information are executed by, for example, a product security incident response team (PSIRT).
  • In recent years, an infrastructure for sharing the cyber security information has been built. There exist systems and tools which automatically collect the cyber security information from this infrastructure. However, it is required to manually determine a value of the collected cyber security information, and there is a problem in that man-hours required for the check are large. Thus, a system which automatically evaluates the cyber security information is required. For this purpose, there are known technologies as described in JP 2019-101672 A and Lei Li, Xiaoyong Li, Y. Gao, "MTIV: A Trustworthiness Determination Approach for Threat Intelligence," Security, Privacy, and Anonymity in Computation, Communication, and Storage, pp. 5-14.
  • In JP 2019-101672 A, there is a description "A cyber attack information processing program according to an embodiment causes a computer to execute storing processing and updating processing. In the storing processing, when information on a cyber attack is acquired, the information on the cyber attack is stored in a storage unit in association with reliability based on an acquisition source of the information on the cyber attack. In the updating processing, when it is detected that posted information corresponding to the information on the cyber attack is uploaded from an information processing terminal, the reliability associated with the information on the cyber attack is updated in accordance with reliability relating to the posted information."
  • In Lei Li, Xiaoyong Li, Y. Gao, "MTIV: A Trustworthiness Determination Approach for Threat Intelligence," Security, Privacy, and Anonymity in Computation, Communication, and Storage, pp. 5-14, there is described a method of calculating trustworthiness of information based on similarity in an information source, times such as publication date and time and update date and time, and information.
  • SUMMARY OF THE INVENTION
  • Even when the information source is reliable and the contents are accurate, the value of the cyber security information is low in a case in which the target (such as a field or a product) for which the cyber security information is disclosed is not relevant to the target (such as a field or a product) under analysis. For example, in a case in which the disclosure target of the cyber security information is the medical field but the analysis target is the automobile field, even when an information source of this cyber security information is reliable and accurate contents are described, the value is low. Moreover, the same is true for a case in which the disclosure target of the cyber security information is a product A but the analysis target is a product B.
  • However, in the related art, richness of the contents of the cyber security information is not evaluated in consideration of the target, and hence the information cannot be narrowed down as described above.
  • This invention is to provide a system and a method which evaluate richness of contents of cyber security information in consideration of a target, and automatically determine a value of the cyber security information.
  • A representative example of the present invention disclosed in this specification is as follows: a computer system comprises: at least one computer; a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module. The richness evaluation module is configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.
  • According to this invention, it is possible to evaluate the richness of the contents of the cyber security information in consideration of the target, and to automatically determine the value of the cyber security information. Other problems, configurations, and effects than those described above will become apparent in the descriptions of embodiments below.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention can be appreciated by the description which follows in conjunction with the following figures, wherein:
    • FIG. 1 is a diagram for illustrating a configuration example of a system according to a first embodiment of this invention;
    • FIG. 2 is a diagram for illustrating a configuration example of each computer included in the system according to the first embodiment;
    • FIG. 3 is a flowchart for illustrating an example of registration processing for a structured DB executed by the system according to the first embodiment;
    • FIG. 4 is a view for illustrating an example of a screen presented by the system according to the first embodiment;
    • FIG. 5 is a flowchart for illustrating an example of cyber security information evaluation processing executed by the system according to the first embodiment;
    • FIG. 6 is a view for illustrating an example of a screen presented by the system according to the first embodiment; and
    • FIG. 7, FIG. 8, and FIG. 9 are tables for showing examples of information to be used by the system according to the first embodiment in the cyber security information evaluation processing.
    DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Now, a description is given of an embodiment of this invention referring to the drawings. It should be noted that this invention is not to be construed by limiting the invention to the content described in the following embodiment. A person skilled in the art would easily recognize that a specific configuration described in the following embodiment may be changed within the scope of the concept and the gist of this invention.
  • In a configuration of this invention described below, the same or similar components or functions are assigned with the same reference numerals, and a redundant description thereof is omitted here.
  • Notations of, for example, "first", "second", and "third" herein are assigned to distinguish between components, and do not necessarily limit the number or order of those components.
  • The position, size, shape, range, and others of each component illustrated in, for example, the drawings may not represent the actual position, size, shape, range, and other metrics in order to facilitate understanding of this invention. Thus, this invention is not limited to the position, size, shape, range, and others described in, for example, the drawings.
  • [First Embodiment]
  • FIG. 1 is a diagram for illustrating a configuration example of a system according to a first embodiment of this invention. FIG. 2 is a diagram for illustrating a configuration example of each computer included in the system according to the first embodiment.
  • A system 100 is a system which evaluates a value of information collected from information sources (providers) such as SNSs, Webs, and organizations, and is formed of at least one computer 200. The system 100 may include a storage system, a network switch, a gateway, and the like.
  • In this embodiment, it is assumed that cyber security information is collected. A type and contents of the information to be collected are not limited in this invention.
  • As illustrated in FIG. 2, the computer 200 includes a processor 201, a network interface 202, a main storage device 203, and a secondary storage device 204. The computer 200 may include an input device such as a keyboard, a mouse, and a touch panel and an output device such as a display.
  • The processor 201 is an arithmetic device which executes a program stored in the main storage device 203. The processor 201 executes processing in accordance with the program, to thereby operate as a function module (module) for implementing a specific function. In the following description, when the processing is described with a function module as the subject, the description indicates that the processor 201 is executing the program for implementing the function module.
  • The network interface 202 is an interface for communication to and from an external device via a network.
  • The main storage device 203 is a storage device which stores programs executed by the processor 201 and information used by the programs, and is, for example, a dynamic random access memory (DRAM). The main storage device 203 is used also as a work area. The secondary storage device 204 is a storage device which permanently stores information, and is, for example, a hard disk drive (HDD), a solid state drive (SSD), or the like.
  • The programs and information stored in the main storage device 203 may be stored in the secondary storage device 204. In this case, the processor 201 reads out the programs and information from the secondary storage device 204, and loads the programs and information onto the main storage device 203.
  • The system 100 includes an input module 110, a preprocessing module 111, a freshness evaluation module 112, a reliability evaluation module 113, a target determination module 114, a richness evaluation module 115, a total evaluation value calculation module 116, a value evaluation module 117, and an output module 118. Moreover, the system 100 holds an information source DB 120, a plurality of structured DBs 121, and a collection information DB 122.
  • The information source DB 120 is a database which manages information on information sources. In the information source DB 120, data including, for example, types of information sources and names and the like of organizations and the like being the information sources is stored. The types of information sources are, for example, the Auto-ISAC and SNS.
  • The structured DB 121 is a database which manages words used in a target (a field, a product, or the like). In this embodiment, it is assumed that one structured DB 121 exists for one target. The system 100 manages the target and the structured DB 121 in association with each other. In the structured DB 121, data including, for example, words and categories is stored. The categories may have a hierarchical structure such as large categories, medium categories, and small categories. For example, in a case of categories of the security, the larger category is "security," and the medium categories are "attack source," "countermeasure," and the like.
  • The system 100 may hold a structured DB 121 which belongs to none of the targets.
  • The collection information DB 122 is a database which manages cyber security information input to the system 100. In the collection information DB 122, for example, cyber security information having an ID assigned thereto is stored.
  • It is assumed that the cyber security information in this embodiment includes a document formed of character strings. However, the cyber security information may include images and graphs, for example.
  • The input module 110 receives input of the cyber security information and information to be used for processing such as threshold values. The input module 110 provides an interface for receiving input of the various types of setting information. The input module 110 outputs the cyber security information to the preprocessing module 111, and stores the cyber security information having the ID assigned thereto in the collection information DB 122. The input module 110 outputs the setting information to be used for the processing such as the threshold values to each function module. In FIG. 1, the input module 110 outputs, to the value evaluation module 117, a threshold value for selecting valuable cyber security information.
  • The preprocessing module 111 executes preprocessing for the cyber security information. The preprocessing is, for example, conversion, formatting, coupling, and normalization of data.
  • The freshness evaluation module 112 evaluates freshness of the cyber security information based on a date of creation, a date of update, a frequency of update, and the like of the cyber security information, to thereby calculate a freshness evaluation value. The reliability evaluation module 113 evaluates a level of reliability of the information source of the cyber security information based on the information source and the like of the cyber security information, to thereby calculate a reliability evaluation value.
  • The target determination module 114 determines a target of application of the cyber security information through use of the structured DBs 121. The richness evaluation module 115 evaluates richness of contents of the cyber security information in any target, to thereby calculate a richness evaluation value.
  • The total evaluation value calculation module 116 calculates a total evaluation value through use of the freshness evaluation value, the reliability evaluation value, and the richness evaluation value. The value evaluation module 117 uses the total evaluation value to select cyber security information having a high value for the target determined by the target determination module 114.
  • The output module 118 outputs, as evaluation information, information on the cyber security information selected by the value evaluation module 117. The output module 118 provides an interface for displaying the evaluation information.
  • Regarding the respective function modules of the system 100, a plurality of function modules may be combined into one function module, or one function module may be divided into a plurality of function modules each corresponding to a relevant function. For example, the richness evaluation module 115 may have the function of the target determination module 114. Moreover, the value evaluation module 117 may have the function of the total evaluation value calculation module 116.
  • A specific description is now given of processing executed by the system 100.
  • FIG. 3 is a flowchart for illustrating an example of registration processing for the structured DB 121 executed by the system 100 according to the first embodiment. FIG. 4 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment.
  • A user uses a terminal or the like to access the system 100, to thereby transmit a registration start request for a structured DB 121. In a case where the input module 110 of the system 100 receives this registration start request, the input module 110 presents a screen 400 of FIG. 4 (Step S101).
  • The screen 400 includes a target input field 401, a DB input field 402, and a registration button 403. The target input field 401 is a field for inputting a target of the structured DB 121. The DB input field 402 is a field for inputting the structured DB 121. Into the DB input field 402, a file which is a substance of the structured DB 121 or a file path, a URL, or the like of the structured DB 121 is input. The registration button 403 is an operation button for registering the structured DB 121. In a case where the user inputs data into the target input field 401 and the DB input field 402, and operates the registration button 403, a registration request is transmitted to the system 100.
  • In a case where the input module 110 receives the registration request, the input module 110 registers the structured DB 121 in association with the target (Step S102).
  • FIG. 5 is a flowchart for illustrating an example of cyber security information evaluation processing executed by the system 100 according to the first embodiment. FIG. 6 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment. FIG. 7, FIG. 8, and FIG. 9 are tables for showing examples of information to be used by the system 100 according to the first embodiment in the cyber security information evaluation processing.
  • The user uses a terminal or the like to access the system 100, to thereby transmit an evaluation start request for cyber security information. In a case where the input module 110 of the system 100 receives this evaluation start request, the input module 110 presents a screen 600 of FIG. 6 (Step S201).
  • The screen 600 includes a cyber security information input field 601, an addition button 602, and an evaluation button 603. The cyber security information input field 601 is a field for inputting the cyber security information to be evaluated. Into the cyber security information input field 601, a file which is a substance of the cyber security information or a file path, a URL, or the like of the cyber security information is input. The addition button 602 is an operation button for adding the cyber security information input field 601. The evaluation button 603 is an operation button for evaluating the cyber security information. In a case where the user inputs data into the cyber security information input field 601, and operates the evaluation button 603, an evaluation request is transmitted to the system 100.
  • In a case where the input module 110 receives the evaluation request, the input module 110 stores the cyber security information input by the user in the collection information DB 122 (Step S202), and outputs the cyber security information to the preprocessing module 111.
  • The preprocessing module 111 executes preprocessing for the cyber security information (Step S203). A content of the preprocessing to be executed is not limited in this invention. Moreover, the preprocessing is not required to be executed.
  • After that, loop processing for the cyber security information is started (Step S204). Specifically, the preprocessing module 111 selects one piece of cyber security information, and outputs the selected cyber security information to the freshness evaluation module 112, the reliability evaluation module 113, and the target determination module 114.
  • The freshness evaluation module 112 calculates a freshness evaluation value C1 indicating the freshness of the cyber security information based on the date of creation, the date of update, the number of times of update, and the like of the cyber security information (Step S205), and outputs the freshness evaluation value C1 to the total evaluation value calculation module 116. As the evaluation method for the freshness, it is only required to use a publicly-known technology, and hence a detailed description thereof is omitted.
  • The reliability evaluation module 113 calculates a reliability evaluation value C2 indicating the level of the reliability of the information source of the cyber security information based on the information on the information source of the cyber security information and the information source DB 120 (Step S206), and outputs the reliability evaluation value C2 to the total evaluation value calculation module 116. As the evaluation method for the reliability of the information source, it is only required to use a publicly-known technology, and hence a detailed description thereof is omitted.
  • The target determination module 114 executes target determination processing (Step S207). Specifically, the following processing is executed.
  • (Step S207-1) The target determination module 114 selects one target, and refers to the structured DB 121 corresponding to this target. At this time, the target determination module 114 registers an entry in intermediate information 700.
  • The intermediate information 700 stores entries each formed of an information ID 701 and a relevance degree 702. The information ID 701 is a field for storing the ID of the cyber security information. The relevance degree 702 is a field group for storing relevance degrees each indicating relevance of the cyber security information to a target. The relevance degree 702 includes one or more columns of the targets.
  • At this time point, the relevance degree 702 of the added entry is blank.
  • (Step S207-2) The target determination module 114 uses the structured DB 121 to analyze documents included in the cyber security information, to thereby extract topics relating to the selected target. The target determination module 114 calculates the relevance degree indicating the relevance of the cyber security information to the selected target based on the number of extracted topics, contents, and the like. The target determination module 114 refers to the relevance degree 702 of the entry added to the intermediate information 700, and stores the relevance degree in the column of the selected target.
  • The calculation method for the relevance degree is an example, and the calculation method is not limited to this example. The calculation method may be a method of calculating the relevance degree by inputting documents into a model generated through machine learning.
  • (Step S207-3) The target determination module 114 determines whether or not the processing is completed for all of the targets. In a case where the processing has not been completed for all of the targets, the process returns to Step S207-1, and the target determination module 114 executes similar processing.
  • (Step S207-4) In a case where the processing has been completed for all of the targets, the target determination module 114 refers to the intermediate information 700, to thereby select a target having the highest relevance degree, and outputs identification information on the selected target to the richness evaluation module 115. After that, the target determination module 114 finishes the target determination processing.
  • In a case where there exist a plurality of targets which have large relevance degrees and are different from one another by small amounts, the target determination module 114 may ask the user for selection of the target through the output module 118, or may select the plurality of targets. Moreover, the target determination module 114 may output, to the richness evaluation module 115, a value indicating that the cyber security information belongs to none of the targets.
  • The user may specify, in advance, a type of targets to be determined by the target determination module 114.
  • Description has been given of the processing step of Step S207.
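The target determination of Step S207, sketched as an added Python example (not code from the patent). The structured DB contents, the sample documents, the function names, the `tie_margin` and `candidates` parameters, and the choice of relevance degree as the count of distinct registered words found are all assumptions made for illustration.

```python
import re

# Constructed structured DBs, one per target: category -> registered words.
STRUCTURED_DBS = {
    "automotive": {
        "component": ["ecu", "can bus", "telematics unit", "infotainment"],
        "attack source": ["obd-ii port", "key fob", "diagnostic tool"],
        "countermeasure": ["secure boot", "message authentication", "gateway filtering"],
    },
    "medical": {
        "component": ["infusion pump", "pacemaker", "dicom server"],
        "attack source": ["hospital network", "usb maintenance port"],
        "countermeasure": ["network segmentation", "firmware signing"],
    },
}

# Constructed sample documents standing in for collected cyber security information.
DOC_AUTO = ("Researchers replayed CAN bus frames through the OBD-II port to reflash an ECU; "
            "enabling secure boot and message authentication blocks the attack.")
DOC_MIXED = ("A hospital network outage exposed an infusion pump, and the same vendor's "
             "diagnostic tool also ships with the telematics unit; firmware signing is recommended.")
DOC_NONE = "Quarterly phishing statistics for retail banking customers."


def _normalise(text):
    """Lowercase, turn punctuation into spaces, and pad so terms match on word boundaries."""
    return " " + " ".join(re.findall(r"[a-z0-9]+", text.lower())) + " "


def extract_topics(document, structured_db):
    """Return {category: [registered words found in the document]} for one target."""
    haystack = _normalise(document)
    found = {}
    for category, words in structured_db.items():
        hits = sorted(w for w in set(words) if _normalise(w) in haystack)
        if hits:
            found[category] = hits
    return found


def relevance_degree(topics):
    """Assumed measure: the number of distinct registered words extracted."""
    return sum(len(hits) for hits in topics.values())


def determine_targets(info_id, document, dbs, tie_margin=0, candidates=None):
    """Steps S207-1 to S207-4 for one piece of cyber security information.

    Returns (entry, selected). `entry` mirrors one row of intermediate
    information 700; `selected` lists the chosen targets, most relevant first.
    An empty list means the information belongs to none of the targets.
    """
    names = sorted(candidates if candidates is not None else dbs)
    entry = {"information_id": info_id, "relevance": {}}
    for target in names:  # S207-1 to S207-3: one pass per registered target
        topics = extract_topics(document, dbs[target])
        entry["relevance"][target] = relevance_degree(topics)

    best = max(entry["relevance"].values(), default=0)
    if best == 0:
        return entry, []  # no registered word of any target appears

    # S207-4: highest relevance wins; near-ties within tie_margin are all kept.
    selected = [t for t in names
                if entry["relevance"][t] > 0 and best - entry["relevance"][t] <= tie_margin]
    selected.sort(key=lambda t: (-entry["relevance"][t], t))
    return entry, selected


if __name__ == "__main__":
    for info_id, doc in (("CSI-001", DOC_AUTO), ("CSI-002", DOC_MIXED), ("CSI-003", DOC_NONE)):
        entry, selected = determine_targets(info_id, doc, STRUCTURED_DBS, tie_margin=1)
        print(entry, "->", selected or "none of the targets")
```
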
  • The richness evaluation module 115 calculates a richness evaluation value C3 indicating the richness of the contents of the cyber security information in the target selected by the target determination module 114 (Step S208), and outputs the richness evaluation value C3 to the total evaluation value calculation module 116. Specifically, the following processing is executed.
  • (Step S208-1) The richness evaluation module 115 adds an entry to intermediate information 800.
  • The intermediate information 800 stores entries each formed of an information ID 801, a target 802, and an item count 803. One entry exists for a combination of the cyber security information and the target. The information ID 801 is a field for storing the ID of the cyber security information. The target 802 is a field for storing identification information on the target. In the target 802, a name, an identification number, or the like of the target is stored. The item count 803 is a field group for storing numbers of items relevant to the target in the cyber security information. In the item count 803, the number of items is managed for each category. When the category is hierarchical, the numbers of items are managed in each intermediate category as a unit or each small category as a unit. In the intermediate information 800 of FIG. 8, the numbers of items are managed in each intermediate category as a unit.
  • At this time point, the item count 803 of the added entry is blank.
  • In a case where a plurality of categories are input, the richness evaluation module 115 adds as many entries as the number of categories.
  • (Step S208-2) The richness evaluation module 115 uses the structured DB 121 corresponding to the selected target to count the number of items (character strings such as words) in each category, and stores the number in the item count 803 of the entry of the intermediate information 800.
  • (Step S208-3) The richness evaluation module 115 calculates the richness evaluation value C3 based on the number of items in each category. For example, Expression (1) is used to calculate the richness evaluation value C3.
    [Expression 1] $$C_3 = \sum_i p_i \frac{N_i}{A_i}$$
  • In this expression, "i" is a character indicating the type of the category. In this embodiment, it is assumed that an integer is assigned to each category. Ni represents a total number of words in the category "i" registered in the structured DB 121. Ai represents the number of words in the category "i" included in the cyber security information. The symbol pi represents a weight for the category "i." It is assumed that the weight pi is set in advance. The user can set the weight pi to any value. It is possible to adjust the weight, to thereby evaluate the richness of the content of the cyber security information relating to a category of interest. In a case where the number of categories is two, any "p" may be used to set p1 to p, and p2 to 1-p.
  • In a case where a plurality of targets are selected, the richness of the contents of the cyber security information is calculated for each of the targets. In this case, the richness evaluation module 115 outputs the richness evaluation value C3 along with the identification information on each target.
  • In a case where the value indicating that the cyber security information belongs to none of the targets is input, the richness evaluation module 115 uses the structured DB 121 depending on none of the targets to calculate the richness evaluation value C3.
  • Description has been given of the processing step of Step S208.
  • In a case where the freshness evaluation value C1, the reliability evaluation value C2, and the richness evaluation value C3 are input, the total evaluation value calculation module 116 calculates a total evaluation value (Step S209). Specifically, the following processing is executed.
  • (Step S209-1) The total evaluation value calculation module 116 adds an entry to intermediate information 900.
  • The intermediate information 900 stores entries each formed of an information ID 901, a target 902, a freshness 903, a reliability 904, a richness 905, and a total evaluation 906. One entry exists for a combination of the cyber security information and the target. The information ID 901 is a field for storing the ID of the cyber security information. The target 902 is a field for storing identification information on the target. The freshness 903 is a field for storing the freshness evaluation value C1. The reliability 904 is a field for storing the reliability evaluation value C2. The richness 905 is a field for storing the richness evaluation value C3. The total evaluation 906 is a field for storing the total evaluation value.
  • At this time point, the total evaluation 906 of the added entry of the intermediate information 900 is blank.
  • In a case where a plurality of richness evaluation values C3 associated with the identification information on the targets are input, as many entries as the number of targets are added.
  • (Step S209-2) The total evaluation value calculation module 116 uses, for example, Expression (2) to calculate the total evaluation value, and stores the total evaluation value in the total evaluation 906 of the added entry.
    [Expression 2] $$\text{Total evaluation value} = C_1 \times C_2 \times C_3 \times q$$
  • In this expression, "q" represents a weight. It is assumed that the weight "q" is set in advance. The user can set the weight "q" to any value.
  • (Step S209-3) The total evaluation value calculation module 116 notifies the preprocessing module 111 of the completion of the processing.
  • Description has been given of the processing step of Step S209.
  • In a case where the preprocessing module 111 receives the notification from the total evaluation value calculation module 116, the preprocessing module 111 determines whether or not the processing has been completed for all of the pieces of cyber security information input by the user (Step S210).
  • In a case where the processing has not been completed for all of the pieces of cyber security information input by the user, the process returns to Step S204, and the preprocessing module 111 executes similar processing. In a case where the processing has been completed for all of the pieces of cyber security information input by the user, the preprocessing module 111 instructs the total evaluation value calculation module 116 to output the intermediate information 900. The total evaluation value calculation module 116, which has received this instruction, outputs the intermediate information 900 to the value evaluation module 117.
  • In a case where the intermediate information 900 is input, the value evaluation module 117 generates the evaluation information based on the intermediate information 900 (Step S211), and outputs the evaluation information to the output module 118. Specifically, the following processing is executed.
  • (Step S211-1) The value evaluation module 117 selects one target.
  • (Step S211-2) The value evaluation module 117 searches for an entry of the intermediate information 900 that stores, in the target 902, the identification information on the selected target.
  • (Step S211-3) The value evaluation module 117 compares the total evaluation value stored in the total evaluation 906 of the retrieved entry and the threshold value with each other, to thereby determine whether or not the cyber security information corresponding to the retrieved entry has a high value in the target corresponding to the retrieved entry. For example, in a case where the total evaluation value is larger than the threshold value, the value evaluation module 117 determines that the value of the cyber security information is high in the target. The value evaluation module 117 deletes, from the intermediate information 900, entries of the cyber security information each having a low value. The value evaluation module 117 is not required to delete the entry. It is possible to reconsider data included in cyber security information by presenting that the value of this cyber security information is low for a certain target.
  • (Step S211-4) The value evaluation module 117 determines whether or not the processing is completed for all of the targets.
  • In a case where the processing has not been completed for all of the targets, the process returns to Step S211-1, and the value evaluation module 117 executes similar processing. In a case where the processing has been completed for all of the targets, the value evaluation module 117 generates the intermediate information 900 as the evaluation information.
  • Description has been given of the processing step of Step S211.
  • When the evaluation information is input, the output module 118 presents the evaluation information to the user (Step S212).
  • The processing steps of Step S205, Step S206, Step S207, and Step S208 may be executed in a different order or in parallel.
  • The user can identify cyber security information having high values for the intended targets by referring to the evaluation information. Moreover, the user can recognize for which target each piece of cyber security information is valuable by referring to the evaluation information.
  • For example, when technical fields are set as the targets, the user can recognize the value of cyber security information for each of the technical fields. Moreover, the user can identify cyber security information having a high value in a specific technical field. For example, when products are set as the targets, the user can recognize the value of cyber security information for each of the products. Moreover, the user can identify cyber security information having a high value for a specific product.
  • According to this embodiment, it is possible to more accurately recognize the value of cyber security information in order to classify the cyber security information, by identifying the target for which the cyber security information is to be evaluated and evaluating the richness of the contents of the cyber security information for that target.
  • In a case of a system for classifying cyber security information to be analyzed, it is possible to narrow down cyber security information to cyber security information in a specific field, thereby being able to reduce man-hours required for the analysis.
  • The present invention is not limited to the above embodiment and includes various modification examples. In addition, for example, the configurations of the above embodiment are described in detail so as to describe the present invention comprehensibly. The present invention is not necessarily limited to the embodiment that is provided with all of the configurations described. In addition, a part of each configuration of the embodiment may be removed, substituted, or added to other configurations.
  • A part or the entirety of each of the above configurations, functions, processing units, processing means, and the like may be realized by hardware, such as by designing integrated circuits therefor. In addition, the present invention can be realized by program codes of software that realizes the functions of the embodiment. In this case, a storage medium on which the program codes are recorded is provided to a computer, and a CPU that the computer is provided with reads the program codes stored on the storage medium. In this case, the program codes read from the storage medium realize the functions of the above embodiment, and the program codes and the storage medium storing the program codes constitute the present invention. Examples of such a storage medium used for supplying program codes include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, a solid state drive (SSD), an optical disc, a magneto-optical disc, a CD-R, a magnetic tape, a non-volatile memory card, and a ROM.
  • The program codes that realize the functions written in the present embodiment can be implemented by a wide range of programming and scripting languages such as assembler, C/C++, Perl, shell scripts, PHP, Python and Java.
  • It may also be possible that the program codes of the software that realizes the functions of the embodiment are stored on storing means such as a hard disk or a memory of the computer or on a storage medium such as a CD-RW or a CD-R by distributing the program codes through a network and that the CPU that the computer is provided with reads and executes the program codes stored on the storing means or on the storage medium.
  • In the above embodiment, only control lines and information lines that are considered as necessary for description are illustrated, and all the control lines and information lines of a product are not necessarily illustrated. All of the configurations of the embodiment may be connected to each other.
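The per-target flow of Steps S211-1 to S211-4, together with the database-driven richness evaluation, can be sketched as follows. This is an added example, not code from the patent: the keyword database contents, the relevance and richness formulas, the weighted-sum total, the weights and `MIN_RELEVANCE`, and the sample feed are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed database: character strings relevant to each target (assumption).
KEYWORD_DB = {
    "automotive": ["ecu", "can bus", "telematics", "obd"],
    "industrial": ["plc", "scada", "modbus", "hmi"],
}
WEIGHTS = {"freshness": 0.3, "reliability": 0.3, "richness": 0.4}  # assumed
MIN_RELEVANCE = 0.25  # assumed cut-off for identifying a target
# Constructed feed: (id, text, freshness value, reliability value)
FEED = [
    ("A-1", "Security advisory: crafted CAN bus frames reach the ECU via OBD; ECU update needed.", 0.9, 0.8),
    ("B-2", "Security notice that mentions a PLC in passing.", 0.5, 0.4),
]


def extract(text, target):
    """Count whole-word matches, so 'ecu' does not match inside 'Security'."""
    hits = Counter()
    for s in KEYWORD_DB[target]:
        n = len(re.findall(r"\b" + re.escape(s) + r"\b", text, re.IGNORECASE))
        if n:
            hits[s] = n
    return hits


def build_intermediate(info_id, text, freshness, reliability):
    """One entry per identified target, with per-target richness and total."""
    hits = {t: extract(text, t) for t in KEYWORD_DB}
    all_matches = sum(sum(h.values()) for h in hits.values())
    entries = []
    for target, h in hits.items():
        # Assumed relevance degree: share of all matches belonging to the target.
        relevance = sum(h.values()) / all_matches if all_matches else 0.0
        if relevance < MIN_RELEVANCE:
            continue  # target not identified for this information
        # Assumed richness: fraction of the target's strings that were extracted.
        richness = len(h) / len(KEYWORD_DB[target])
        total = (WEIGHTS["freshness"] * freshness
                 + WEIGHTS["reliability"] * reliability
                 + WEIGHTS["richness"] * richness)
        entries.append({"id": info_id, "target": target, "richness": richness,
                        "total": round(total, 3)})
    return entries


def evaluate(intermediate, threshold, delete_low=True):
    """Step S211: per target, compare the total evaluation with the threshold."""
    out = []
    for target in sorted({e["target"] for e in intermediate}):  # S211-1, S211-4
        for e in (x for x in intermediate if x["target"] == target):  # S211-2
            high = e["total"] > threshold  # S211-3
            if high or not delete_low:  # deletion of low-value entries is optional
                out.append({**e, "high_value": high})
    return out
```

Calling `evaluate(..., delete_low=False)` keeps low-value entries with `high_value` set to `False`, which corresponds to presenting that an item is of low value for a target rather than deleting it.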

Claims (11)

  1. A computer system, comprising:
    at least one computer;
    a freshness evaluation module configured to evaluate freshness of cyber security information;
    a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information;
    a richness evaluation module configured to evaluate richness of a content of the cyber security information; and
    a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module,
    the richness evaluation module being configured to:
    identify a target of application of the cyber security information; and
    evaluate the richness of the content of the cyber security information in the identified target.
  2. The computer system according to claim 1, wherein the richness evaluation module is configured to:
    calculate a relevance degree indicating relevance of the cyber security information to each of a plurality of targets; and
    identify the target based on the relevance degree of each of the plurality of targets.
  3. The computer system according to claim 2,
    wherein the computer system is configured to access a database which stores a character string relevant to each of the plurality of targets, and
    wherein the richness evaluation module is configured to evaluate the richness of the content of the cyber security information in the identified target by referring to the database to extract the character string which is included in the cyber security information and is relevant to the identified target.
  4. The computer system according to claim 3, wherein the value evaluation module is configured to:
    calculate a total evaluation value indicating a value of the cyber security information based on the evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module; and
    select the cyber security information to be presented to a user based on the total evaluation value.
  5. An evaluation method for cyber security information, which is executed by a computer system including at least one computer, the evaluation method including:
    a first step of evaluating, by the at least one computer, freshness of cyber security information;
    a second step of evaluating, by the at least one computer, a level of reliability of an information source of the cyber security information;
    a third step of evaluating, by the at least one computer, richness of a content of the cyber security information; and
    a fourth step of evaluating, by the at least one computer, a value of the cyber security information based on evaluation results of the freshness of the cyber security information, the level of the reliability of the information source of the cyber security information, and the richness of the content of the cyber security information,
    wherein the third step includes:
    a fifth step of identifying, by the at least one computer, a target of application of the cyber security information; and
    a sixth step of evaluating, by the at least one computer, the richness of the content of the cyber security information in the identified target.
  6. The evaluation method for cyber security information according to claim 5, wherein the fifth step includes the steps of:
    calculating, by the at least one computer, a relevance degree indicating relevance of the cyber security information to each of a plurality of targets; and
    identifying, by the at least one computer, the target based on the relevance degree of each of the plurality of targets.
  7. The evaluation method for cyber security information according to claim 6,
    wherein the computer system is configured to access a database which stores a character string relevant to each of the plurality of targets, and
    wherein the third step includes a step of evaluating, by the at least one computer, the richness of the content of the cyber security information in the identified target by referring to the database to extract the character string which is included in the cyber security information and is relevant to the identified target.
  8. The evaluation method for cyber security information according to claim 7, wherein the fourth step includes the steps of:
    calculating, by the at least one computer, a total evaluation value indicating a value of the cyber security information based on the evaluation results of the freshness of the cyber security information, the level of the reliability of the information source of the cyber security information, and the richness of the content of the cyber security information; and
    selecting, by the at least one computer, the cyber security information to be presented to a user based on the total evaluation value.
  9. A computer system, comprising:
    at least one computer;
    a freshness evaluation module configured to calculate a freshness evaluation value indicating freshness of cyber security information;
    a reliability evaluation module configured to calculate a reliability evaluation value indicating a level of reliability of an information source of the cyber security information;
    a richness evaluation module configured to calculate a richness evaluation value indicating richness of a content of the cyber security information; and
    a value evaluation module configured to calculate a total evaluation value indicating a value of the cyber security information based on the freshness evaluation value, the reliability evaluation value, and the richness evaluation value,
    the computer system being configured to access a database which stores a character string relevant to each of a plurality of fields, and
    the richness evaluation module being configured to:
    identify a field of application of the cyber security information;
    refer to the database to extract the character string which is included in the cyber security information and is relevant to the identified field; and
    calculate the richness evaluation value based on a result of the extraction.
  10. The computer system according to claim 9, wherein the richness evaluation module is configured to:
    calculate a relevance degree indicating relevance of the cyber security information to each of the plurality of fields; and
    identify the field based on the relevance degree of each of the plurality of fields.
  11. The computer system according to claim 10, wherein the value evaluation module is configured to select the cyber security information to be presented to a user based on the total evaluation value.
EP22764988.6A 2021-05-24 2022-02-17 Calculator system and cyber security information evaluation method Pending EP4350549A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021087011A JP2022180094A (en) 2021-05-24 2021-05-24 Computer system and evaluation method for cyber security information
PCT/JP2022/006470 WO2022249588A1 (en) 2021-05-24 2022-02-17 Calculator system and cyber security information evaluation method

Publications (1)

Publication Number Publication Date
EP4350549A1 true EP4350549A1 (en) 2024-04-10

Family

ID=84229821

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22764988.6A Pending EP4350549A1 (en) 2021-05-24 2022-02-17 Calculator system and cyber security information evaluation method

Country Status (4)

Country Link
US (1) US20240104220A1 (en)
EP (1) EP4350549A1 (en)
JP (1) JP2022180094A (en)
WO (1) WO2022249588A1 (en)

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007058514A (en) * 2005-08-24 2007-03-08 Mitsubishi Electric Corp Information processor, information processing method and program
EP3132569A4 (en) * 2014-04-18 2017-12-06 EntIT Software LLC Rating threat submitter
WO2017100534A1 (en) * 2015-12-11 2017-06-15 Servicenow, Inc. Computer network threat assessment
US9747570B1 (en) * 2016-09-08 2017-08-29 Secure Systems Innovation Corporation Method and system for risk measurement and modeling
US10855713B2 (en) * 2017-04-27 2020-12-01 Microsoft Technology Licensing, Llc Personalized threat protection
US10855793B2 (en) * 2017-09-25 2020-12-01 Splunk Inc. Proxying hypertext transfer protocol (HTTP) requests for microservices
JP6933112B2 (en) 2017-11-30 2021-09-08 富士通株式会社 Cyber attack information processing program, cyber attack information processing method and information processing equipment
JP7105096B2 (en) * 2018-04-18 2022-07-22 株式会社日立システムズ Threat information sharing system and method between multiple organizations
CN110911151B (en) 2019-11-29 2021-08-06 烟台首钢磁性材料股份有限公司 Method for improving coercive force of neodymium iron boron sintered permanent magnet
US20210320945A1 (en) * 2020-04-10 2021-10-14 AttackIQ, Inc. Method for verifying configurations of security technologies deployed on a computer network
US11757904B2 (en) * 2021-01-15 2023-09-12 Bank Of America Corporation Artificial intelligence reverse vendor collation

Also Published As

Publication number Publication date
WO2022249588A1 (en) 2022-12-01
US20240104220A1 (en) 2024-03-28
JP2022180094A (en) 2022-12-06

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20230320

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)